The present invention is directed to a method of administering a firewall which acts as a filter for determining access to an online service provider network, and more particularly, to a method of administering a firewall for preventing unauthorized access by a user to an online service provider network which can be dynamically updated and maintained.
Today, many people use personal computers both at their place of work and in their homes. These computers are used for many purposes, including word processing, maintaining account and inventory records, playing games and educational enrichment. As a result of the popularity of personal computers, the cost of owning a computer has gone down, making them more affordable.
The general availability of personal computers has spawned the popularity of the Internet and other marketed online services. Files or other resources on computers around the world may be publicly available to users of other computers through the collection of networks known as the Internet. The collection of all such publicly available resources, linked together using files written in Hypertext Mark-up Language ("HTML"), is known as the World Wide Web ("web").
A user of a computer that is connected to the Internet may cause a program known as a client to request resources that are part of the web. Server programs then process the requests to return the specified resources. A standard naming convention has been adopted, known as a Uniform Resource Locator ("URL"). This convention encompasses several types of location names, presently including subclasses such as Hypertext Transport Protocol ("http"), File Transport Protocol ("ftp"), gopher and Wide Area Information Service ("WAIS").
The various resources accessible via the web are created and maintained by many different people on servers located all around the world, and may be created for many different purposes. Many individuals and businesses now have their own web sites that can be visited by people "surfing" the web. These web sites typically provide information on a myriad of subjects such as sports, business, news and even community events.
Online Service Providers (OSPs) provide access to the Internet by providing software to a user which allows the user to access the Internet via Points of Presence (POPs) which are typically operated and maintained by the OSP. When a user wishes to access the Internet, the user invokes a command that causes the computer, via a modem, to dial into the POP. The POP requests a user identification and password that is verified by the OSP. The POP then acts as a gateway to provide the user access to the Internet.
Many OSPs also provide additional online services or subscription services that are particular to that OSP such as, but not limited to, email, news, telephone, chat rooms and personal web pages, and these are available to those users who subscribe to the services. When the user is authenticated for access to the Internet, the user is also authenticated for access to these subscription services. Such services are commonly incorporated into the price that the OSP charges the user for subscribing to the service. It is to be understood that the terms "user" and "subscriber" may be used interchangeably throughout the description of the present invention and refer to a person who is accessing the Internet or other online service via a particular OSP.
Because a user generally connects to the OSP via the telephone network, the availability of a local telephone number is a crucial consideration to a potential subscriber of the OSP. Since many subscribers spend a significant amount of time on the Internet, an incremental cost of a telephone call to connect to the OSP can be considered to be prohibitive. As such, OSPs usually employ multiple POPs to solicit the maximum number of subscribers to their service.
In order to extend accessibility to a particular OSP, it may be necessary to increase the number of POPs available to that OSP. One way to accomplish this is to have a third party provide POPs which are then able to provide dial access to the OSP's proprietary online services. However, the third party OSP may also provide dial access to subscribers of other OSPs. As described above, because each OSP typically provides customized online services in addition to access to the Internet, it is important that the third party POP be able to distinguish between different OSP subscribers and to allow access to OSP-specific services only to subscribers of that particular OSP.
One way to ensure that access to different OSPs is restricted is to dedicate to each particular OSP a limited number of Internet Protocol (IP) addresses out of the total number of IP addresses available to the third party. However, this creates an artificial restraint on the availability of IP addresses which could result in delays in gaining access to a particular online network.
In accordance with the present invention, a method of administering a firewall for preventing unauthorized access by a user to an OSP network which can be dynamically updated and maintained is disclosed. A firewall is a specialized filter that is used to provide security for a network, usually in an Internet protocol based network. The dynamic filtering firewall of the present invention allows two or more OSPs to make efficient re-use of scarce IP addresses and scarce resources. Information packets that are considered authorized to enter or egress an OSP protected network are either proxied by the firewall or allowed to pass through the firewall unchanged. Unauthorized packets are dropped.
The present invention allows for the dynamic assignment of IP addresses to subscriber end-users without requiring a second login to a firewall server. The firewall maintains a real-time, dynamic view of currently authenticated OSP network subscribers. Each authenticated subscriber is added to the list of authenticated subscribers contained in one or more tables of the firewall. The firewall is transparent to the subscriber in that the subscriber is unaware of what entity is controlling the subscriber's access to the OSP network. Upon logging off the system, that subscriber is subsequently removed from the list.
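The session-table behaviour described above, as an added illustration that is not code from the patent: a simulated filter for a shared POP records which OSP each dynamically assigned subscriber IP was authenticated to, passes only traffic between a subscriber and the OSP network that subscriber holds a session with, drops everything else, and lets the same IP be reused by a different OSP's subscriber once the first session logs off. The OSP names, protected network ranges and subscriber addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class DynamicFirewall:
    """Filter for a POP shared by several OSPs (constructed example, not the patent's code)."""
    # Protected network per OSP, e.g. {"osp-a": ip_network("10.1.0.0/16")} (hypothetical names)
    protected: dict
    # Live session table: assigned subscriber IP -> OSP that authenticated the session
    sessions: dict = field(default_factory=dict)

    def login(self, osp, subscriber_ip):
        """Called when the POP authenticates a subscriber and assigns an IP address."""
        if osp not in self.protected:
            raise ValueError(f"unknown OSP {osp}")
        self.sessions[ip_address(subscriber_ip)] = osp

    def logoff(self, subscriber_ip):
        """Drop the session so the address can be reassigned to any OSP's subscriber."""
        self.sessions.pop(ip_address(subscriber_ip), None)

    def _owner(self, addr):
        """Return the OSP whose protected network contains addr, or None."""
        return next((osp for osp, net in self.protected.items() if addr in net), None)

    def decide(self, src_ip, dst_ip):
        """Return 'pass' or 'drop' for a packet; ingress and egress are both checked."""
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        src_osp, dst_osp = self._owner(src), self._owner(dst)
        if src_osp is None and dst_osp is None:
            return "pass"  # ordinary Internet traffic, not subject to OSP filtering
        if dst_osp is not None:  # ingress: source must hold a session with that OSP
            return "pass" if self.sessions.get(src) == dst_osp else "drop"
        # egress: an OSP network may only reach a currently authenticated subscriber of its own
        return "pass" if self.sessions.get(dst) == src_osp else "drop"


def scenario():
    """Walk one IP through login, logoff and reuse by another OSP; returns the decisions."""
    fw = DynamicFirewall(protected={"osp-a": ip_network("10.1.0.0/16"),
                                    "osp-b": ip_network("10.2.0.0/16")})
    out = []
    fw.login("osp-a", "192.0.2.10")
    out.append(fw.decide("192.0.2.10", "10.1.0.5"))      # own OSP service -> pass
    out.append(fw.decide("192.0.2.10", "10.2.0.5"))      # other OSP's service -> drop
    out.append(fw.decide("192.0.2.10", "198.51.100.1"))  # general Internet -> pass
    fw.logoff("192.0.2.10")
    out.append(fw.decide("192.0.2.10", "10.1.0.5"))      # session removed -> drop
    fw.login("osp-b", "192.0.2.10")                      # same IP reused by an OSP B subscriber
    out.append(fw.decide("192.0.2.10", "10.2.0.5"))      # pass
    out.append(fw.decide("10.2.0.5", "192.0.2.10"))      # egress to its own subscriber -> pass
    out.append(fw.decide("10.1.0.5", "192.0.2.10"))      # OSP A egress to a non-subscriber -> drop
    return out
```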